The Domain Name System (DNS) is a naming system for devices and resources connected to the Internet or other networks. The DNS improves the user friendliness of network navigation by employing “resolvers” and domain name servers to translate easy-to-remember domain names to numerical IP addresses. For example, the DNS translates a website such as www.verisign.com to a wide range of data including IPv4 addresses, IPv6 addresses, email services, and more.
Domain names form a tree-like hierarchical name space. Each node in the tree, except the leaf nodes, is called a domain. At the top of the tree, the root domain delegates authority to Top Level Domains (TLDs) like .com, .net, .org, and .edu. The TLDs then delegate authority to create Second-Level Domains (SLDs), such as the colostate.edu domain, the verisign.com domain; and so forth. The repository of information that makes up the domain database is divided up into logical name spaces called zones. Each zone belongs to a single administrative authority and is served by a set of authoritative name servers. The multiple servers for each zone provide redundancy and fault tolerance.
TLDs such as .com and .net play a crucial role in the DNS. Popular TLDs are arguably more important than the DNS root because of the DNS's name space fan-out. For example, after a resolver learns the .com referral from the root, that referral is cached, and the resolver can send all subsequent queries for .com addresses to the .com TLD name server. The resolver will not have to query the root again until the cached information expires. However, every unique SLD, such as verisign.com, must be sent to the .com TLD name server when first looked up. There are over 100 million zones under .com and .net, and only a portion of these zones is cached at any given time. A collapse of all .com or .net TLD name servers would thus render unreachable any zones that are not cached.
TLD attacks are relatively easy to perpetrate due to the nature of DNS communications. That is, DNS communications are typically sent via the User Datagram Protocol (UDP). UDP is a simple communication protocol for transmitting small data packets without a connection handshake, acknowledgment, ordering, or error correction. The low processing overhead of UDP makes it useful for streaming media applications such as video and Voice over IP, and for answering small queries from many sources, such as in DNS resolution. Unfortunately, these same properties allow attackers to use DNS resolution for nefarious purposes. Because UDP is connectionless, an attacker can “spoof” the source address (that is, forge a false source IP address in the IP packet such that the DNS server sends the query response to a third party) without having to worry about completing a connection handshake, resulting in the DNS server sending responses to a machine that never sent a query. Moreover, the query message can be relatively small (under 512 bytes) while the resulting response can be substantially larger due to large numbers of resource records in the response. This allows an attacker to leverage a DNS server to magnify an attack. DNS queries and response may also be sent over stateful Transmission Control Protocol (TCP), which exhibits similar vulnerabilities that can also be managed using embodiments of the invention disclosed herein.
Some attacks target the TLD itself. For example, an “outage” attack floods a TLD with queries in an attempt to either knock the TLD offline or overwhelm to the extent that it cannot respond to legitimate queries.
Other attacks use TLDs to multiply attack traffic aimed at third-party servers. In a “reflector” attack, for example, an attacker issues multiple DNS queries using a forged source address(es), causing the TLD to direct all responses toward the innocent victim, swamping the victim's host servers.
A third type of attack occurs when many queries all request the same SLD. The attacker may be trying to prod the TLD into defending itself by preemptively blacklisting the entire subdomain. Alternatively, the attacker may simply not bother to randomize the entire query name of each attack packet.
Collectively, these attacks are referred to as Distributed Denial-of-Service (DDoS) attacks because their purpose is to knock the target server offline, with the result that it cannot serve legitimate clients.